>From a cloud-init perspective, one area of concern is around
manipulation of sshd config.

Cloud-init does make changes to sshd config, in particular it controls
the PasswordAuthentication value based on cloud-config values,
ssh_pwauth: <yes/no/unchanged>.

Cloud-init will read in sshd, update a key/value and write out the file
and then restart the service.  See the code for details.

https://github.com/canonical/cloud-
init/blob/master/cloudinit/config/cc_set_passwords.py#L97

The second area of concern user confusion.  Typical work-flows for
cloud-init user-data include importing and setting ssh keys for users.
In the ec2-instance-connect workflow; the user-data cloud-init writes to
the instance won't actually be used, rather ec2-instance-connect will
query ec2 for what the current set of authorized keys.  The sshd man
page suggests that if the response does not include output that can
verify the key it will fallback to reading .ssh keys.  It's not clear to
me (or users) which keys were used to authorize access to the system.

I would also express additional concern in the area of time to ssh into
instances; with this feature enabled, there is additional overhead for
each and every ssh connection.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1835114

Title:
  [MIR] ec2-instance-connect

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ec2-instance-connect/+bug/1835114/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to